
timing out 802.1x users

  • 1.  timing out 802.1x users

    Posted Aug 17, 2012 06:29 PM

    Hello, I have a client who would like to time out wireless users that are using 802.1x....

    For example:

    A user connects to the wireless network and after 4 hours the user will be disconnected from the wireless network... and if he wants to keep using the wireless network he will need to reconnect again...

    Is this possible?

    If it's not... do any of you guys have an idea of how to solve this issue?

    The issue:

    There is a meeting room, and around the meeting room there are a lot of working cubicles, and the issue is that he does not want those employees, after they finish their meeting, to still be on the wireless network after 2 or 3 hours... he would like to time out those connections as they will just connect with the Ethernet cable.

     

     



  • 2.  RE: timing out 802.1x users

    EMPLOYEE
    Posted Aug 17, 2012 10:41 PM

    Regardless of what you do, most 802.1x supplicants automatically reconnect users, so it might not be possible to do what you need...



  • 3.  RE: timing out 802.1x users

    Posted Aug 17, 2012 11:44 PM

    Okay Collin,

    Thank you very much for your time!

    I was also trying to manually reduce the EIRP, maybe as an option... but I don't think that will help that much... the cubicles are all around the meeting room... and the only thing between the meeting room and the cubicles is glass... so you can imagine that won't help...

    Do you have any idea for this? I can't really open a case as this is not an issue, it's more of a special request from the client though... but I still can't find the correct option for it...



  • 4.  RE: timing out 802.1x users

    EMPLOYEE
    Posted Aug 19, 2012 12:16 PM

    Nightshade1,

     

    Even though users are "connected" to the wireless network, it does not mean they are contributing a great deal to the utilization/contention of the network.  Many clients, if not being used try to sleep and send as little data as possible.  It is users who are actively sending traffic that contribute the most to the utilization.  If the wireless users who are in the cubicles are using wireless, they might want to just add an additional access point to deal with them, if possible.

     

    If you are dropping broadcasts at the Virtual AP level, that goes a long way to suppressing random data from clients.  

     

    If users in the cubicles plug in, some supplicants like the Lenovo and in the Advanced Properties of Intel Clients (http://www.intel.com/support/wireless/wlan/sb/CS-028815.htm)  allow you to disable the wireless NIC when a user plugs in wired and that might allow you to accomplish what you need.



  • 5.  RE: timing out 802.1x users

    Posted Aug 19, 2012 12:48 PM

    Thanks for the comment Collin, but this client is a bit special... and was expecting the controller to do everything, if you know what I mean....

    I'm dropping broadcast as they don't need multicast on the wireless... (as the option says drop multicast and broadcast). I have already read many times that you mention on other threads that we can drop broadcast to improve the performance, as broadcast is the enemy of Wi-Fi... along with band steering and making sure that wireless and wired users are not in the same VLAN, plus not having many SSIDs (I read an interesting doc about the impact of multiple SSIDs somewhere here)... we just have one as he does not require guest access. I have taken note of the recommendations given by Aruba experts here :) and I'll keep taking notes if more are coming, well, more that I don't have in my notes.

    They don't want to add additional APs... as they just bought it to test the solution in the meeting room; if they like it, and they should! hehe, they will buy more...

    About the supplicants, I'll have to talk with the client about it; I'm not sure what wireless card brand he has... :)

    Now I was looking for some option in which you need x amount of RSSI to stay connected, but I can't find it so I guess it is not possible...

    Anyway, thanks a lot for your time!



  • 6.  RE: timing out 802.1x users

    EMPLOYEE
    Posted Aug 19, 2012 12:55 PM

    That would be the local-probe-response-threshold parameter in the SSID profile.  A whole thread about it is here:  http://community.arubanetworks.com/t5/Campus-WLAN-and-High-Density-Wi/client-not-connecting-to-nearest-ap/m-p/23064/highlight/true#M56

     

    It does not allow clients below a certain threshold to connect.  You can start with 30.  Just like every other infrastructure parameter that changes the RF, it is very important that you ensure that you have good coverage for your clients when you use this parameter.   Otherwise you are forcing your clients to connect to access points that are suboptimal, and the overall experience will be worse.

     

    Back in the day, when there was NO 802.11n, and bandwidth was precious and access points were very expensive it was important to ration the amount of access given to users.  If right now users are not perceiving any issues without changing anything, I say leave it alone, rather than change another variable.  It is the user experience that is most important, more than anything.

     



  • 7.  RE: timing out 802.1x users

    Posted Aug 19, 2012 01:01 PM

    I read about that already, but in another topic in which you were telling someone how to not let far-away guest users associate with the AP.

    I don't know if that would help, as the users are going to the meeting room and then leave for their cubicles. Does this disconnect them from the wireless if they don't have the minimum amount of RSSI?

    I could try that and also reducing the EIRP power? To maybe 15?

    Do wireless cards need a minimum amount of EIRP to connect to the AP? I mean, if I reduce it too much it won't connect? Or something like that?

    Hehe, sorry Collin, I know I ask too many questions...

    I'll talk to him about what you said about the user experience...

    What he is afraid of is that if people leave for their cubicles he might have 50 users connected to that single AP at the end of the day, he says... and he doesn't want that...



  • 8.  RE: timing out 802.1x users

    EMPLOYEE
    Posted Aug 19, 2012 01:09 PM

    You are correct.  It will NOT disassociate you if you are too far away.

     

    You can try the Station Handoff Assist feature here: How Does Handoff Assist Work? https://kb.arubanetworks.com/app/answers/detail/a_id/297

     

    Also check out the article here:  How do I determine if handoff assist is working or not? https://kb.arubanetworks.com/app/answers/detail/a_id/1177

     

     



  • 9.  RE: timing out 802.1x users

    Posted Aug 19, 2012 01:15 PM

    Yeah, I just saw that on the thread you mentioned before... I was connecting remotely to my laboratory to check that on our demo wireless controller! Thanks!! :)

    Thanks a lot for the links! I'll test it in my lab tomorrow at the office!

     



  • 10.  RE: timing out 802.1x users

    Posted Aug 20, 2012 11:25 AM

    I tried to configure it today but it doesn't seem to work...

    My config:

    (Alternet_Lab) (config) # show rf optimization-profile

    RF Optimization Profile List
    ----------------------------
    Name      References  Profile Status
    ----      ----------  --------------          
    default   3           

    Total:1

    (Alternet_Lab) (config) # show rf optimization-profile default

    RF Optimization Profile "default"
    ---------------------------------
    Parameter               Value
    ---------               -----
    Station Handoff Assist  Enabled
    RSSI Falloff Wait Time  4 sec
    Low RSSI Threshold      25
    RSSI Check Frequency    3 sec

     

    (Alternet_Lab) (config) #show ap monitor stats ap-name ServerRoom_1 mac ac:81:12:a3:c0:e7


    RSSI
    ----
    avg-signal  low-signal  high-signal  count  duration (sec)
    ----------  ----------  -----------  -----  --------------
    22          17          27           2718   88
    Monitored Time:5143
    Last Packet Time:245461
    Uptime:245461

    DoS State
    ----------
    tx  old-tx  rx  old-rx  last-dos-time  ap-ev-time  sta-ev-time
    --  ------  --  ------  -------------  ----------  -----------
    0   0       0   0       0              0           0
    Tarpit State
    ------------
    probe-resp-cnt  assoc-resp-cnt  tarpit-auth-cnt  fake-ch-data-cnt  fake-bss-data-cnt  last-tarpit-time  last-tarpit-ev-time
    --------------  --------------  ---------------  ----------------  -----------------  ----------------  -------------------
    0               0               0                0                 0                  0                 0
    Wired Containment State
    -----------------------
    last-dos-time  dos-frame-cnt  ap-ev-time  sta-ev-time
    -------------  -------------  ----------  -----------
    0              0              0           0
    Handoff Assist                                    
    --------------
    rssi-index  cur-signal  old-cur-signal
    ----------  ----------  --------------
    1           18          19
    High Throughput Parameters
    --------------------------
    ht-type  primary-channel  sec-channel  gf-supported  40mhz-intolerance
    -------  ---------------  -----------  ------------  -----------------
    HT-40    44               48           0             0

     

     

    I can't see any output in the logs... but I have it enabled, and it seems the RSSI value for that client is 22 and my RSSI threshold is 25, and it's not disconnecting...

    As far as I understand, any value above 25 will NOT be disconnected and all the ones below 25 will be deauthenticated... but it's not happening....

    Anything I'm missing?
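
Added example, not part of the thread and not Aruba code: a small Python parser for the two `show` outputs posted above that puts the client's readings next to the configured Low RSSI Threshold. It only extracts and compares the printed numbers and assumes nothing about how the controller acts on them; the function names are illustrative and the sample input is abridged from the post.

```python
import re

# Sample input: abridged from the output posted above (values unchanged).
PROFILE = """\
RF Optimization Profile "default"
---------------------------------
Parameter               Value
---------               -----
Station Handoff Assist  Enabled
RSSI Falloff Wait Time  4 sec
Low RSSI Threshold      25
"""
STATS = """\
RSSI
----
avg-signal  low-signal  high-signal  count  duration (sec)
----------  ----------  -----------  -----  --------------
22          17          27           2718   88
Monitored Time:5143
Handoff Assist
--------------
rssi-index  cur-signal  old-cur-signal
----------  ----------  --------------
1           18          19
"""

def parse_table(text, title):
    """Rows (as dicts) of the dash-ruled table printed under `title`."""
    lines = [l.strip() for l in text.splitlines()]
    i = lines.index(title)  # raises ValueError if the section is absent
    cols = re.split(r"\s{2,}", lines[i + 2])  # columns are 2+ spaces apart
    rows = []
    for raw in lines[i + 4:]:
        cells = re.split(r"\s{2,}", raw)
        if len(cells) != len(cols):
            break  # blank line, footer, or the next section's title
        rows.append(dict(zip(cols, cells)))
    return rows

def handoff_summary(profile_text, stats_text, profile_title):
    params = {r["Parameter"]: r["Value"] for r in parse_table(profile_text, profile_title)}
    rssi = parse_table(stats_text, "RSSI")[0]
    cur = int(parse_table(stats_text, "Handoff Assist")[0]["cur-signal"])
    threshold = int(params["Low RSSI Threshold"])
    return {"enabled": params["Station Handoff Assist"] == "Enabled",
            "threshold": threshold, "avg_signal": int(rssi["avg-signal"]),
            "cur_signal": cur, "below_threshold": cur < threshold}

if __name__ == "__main__":
    print(handoff_summary(PROFILE, STATS, 'RF Optimization Profile "default"'))
```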

     

     

     



  • 11.  RE: timing out 802.1x users

    Posted Aug 20, 2012 07:29 PM

    Hi,

     

    Setting local-probe-threshold to 25 does not mean a client with SNR less than 25 will get deauthenticated from the AP.

    What it means is that the AP will not respond to a probe request from the client if the SNR is less than 25. This helps the client roam to the best AP.

    For example:

    If I am connected to an AP and there is no other AP nearby with SNR higher than 25, then I may still be connected to the same AP even if I start moving away and the SNR goes below 25.

    For your requirement (not allowing far-away clients to connect to the SSID), what you can do is reduce the cell size for the SSID.

    Under the SSID profile, cut the lower data rates from the basic and transmit rates lists.

    For example:

    Cut 1, 2 and 5 from the G basic and transmit rates and just start from 6, 9, 11....

    This will not allow clients to use the 1, 2 and 5 Mbps data rates. In most cases, if a client is far away from the AP, the data rate falls. Thus if the data rate goes below 6, the client will get deauthenticated from the AP.

    Based on your requirement, select proper data rates here.



  • 12.  RE: timing out 802.1x users

    EMPLOYEE
    Posted Aug 20, 2012 07:35 PM

    Alap22,

     

    He is using handoff Assist, not local-probe-response-threshold.

     



  • 13.  RE: timing out 802.1x users

    Posted Aug 20, 2012 07:41 PM

    Yeah, but I still cannot make it work :(

    even if the config seems so simple...